Six Patches On Microsoft's July Patch Day

[Peaches]

15 July 2009, 11:24

Six patches on Microsoft's July patch day

As planned, Microsoft has released six security packages for the July patch day, including one to fix the vulnerability in DirectShow which is already being actively exploited. Three of the update bundles are classed as "critical". As well as DirectShow (part of DirectX), these affect the Video ActiveX control and the Windows Embedded OpenType Font Engine. The company rates the updates for Virtual PC and Server, Office 2007 and ISA Server 2006 as "important". Microsoft expects exploits to appear for all of the vulnerabilities. The updates for the font engine, Virtual PC and Server and ISA Server require a system restart.

The DirectShow update (MS09-028) patches DirectX 7.0 and 8.1 for Windows 2000 and 9.0 for Windows 2000, XP and Server 2003. DirectX 10 for Vista and Server 2008 is not affected. The update includes a total of three patches. One fixes the publicly known DirectShow vulnerability, while the other two relate to vulnerabilities well-concealed from the public. The bugs can be triggered when processing QuickTime media data and can be used to execute arbitrary malicious code with the user's privileges when surfing the web. The update renders the previous quick fix superfluous.

Two patches (MS09-029) have been deemed necessary for the Embedded OpenType Font Engine (EOT), a Windows system component. These also prevent the execution of malicious code. EOT fonts are a special embedded font format for web sites and emails. Of currently supported Windows versions, only Server 2008 Core installations are immune.

Heise security - http://www.h-online.com/security/Six-patch...y--/news/113767